Admin ConsoleUser Management

Ping Identity SCIM Integration

System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.

note

SCIM Integrations are available for Enterprise organizations. Teams organizations, or customers not using a SCIM-compatible identity provider, may consider using Directory Connector as an alternative means of provisioning.

This article will help you configure a SCIM integration with Ping Identity. Configuration involves working simultaneously with the Bitwarden web vault and Ping Identity Administrator dashboard. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

Enable SCIM

note

Are you self-hosting Bitwarden? If so, complete these steps to enable SCIM for your server before proceeding.

To start your SCIM integration, open the Admin Console and navigate to Settings SCIM provisioning:

SCIM provisioning
SCIM provisioning

Select the Enable SCIM checkbox and take note of your SCIM URL and SCIM API Key. You will need to use both values in a later step.

Create a SCIM app

  1. Navigate to provisioning New Connection.

    Ping Identity new Connection
    Ping Identity new Connection
  2. In the Create a New Connection window, choose the Select option for Identity Store.

  3. In the Identity Store, enter SCIM into the search box and select SCIM Outbound. Once this step is complete, select Next.

    SCIM Connection
    SCIM Connection
  4. Input a Name and Description for the SCIM connection.

  5. Next, you will be required to input the SCIM BASE URL. Copy the SCIM URL value located on the Enable SCIM page in the Bitwarden Admin Console and paste it into this field.

  6. Using the Authentication Method dropdown menu, select OAuth 2 Bearer Token. A field will appear named Oauth Access Token, paste the SCIM API key value from the Bitwarden Admin Console into this field.

    Ping Identity SCIM connection test
    Ping Identity SCIM connection test
  7. Once setup is complete, you may select Test Connection. If successful, select Next.

  8. On the Configure Preferences page, select desired preferences and actions.

    note

    Setting the Remove Action setting to Disable will result in Bitwarden users being moved to Revoked status rather if the user fails to meet the filter criteria set on Ping Identity. Restoring the criteria will return the user to their previous state.

    If the Remove Action is set to Delete, the same action will deprovision the user.

  9. Select Save once complete. Select the newly created Connection and enable the Connection using the toggle.

    Enable Ping Identity Connection
    Enable Ping Identity Connection

Create a Rule

Before syncing user groups and directories, a Rule is required to sync the user groups to Bitwarden SCIM.

  1. Return to the Provisioning Screen.

  2. Select the Rules tab and then New Rule.

  3. Enter an app specific name for the Rule and select Create Rule.

  4. Edit the new Rule in the Configuration tab. Select Bitwarden SCIM connection and then Save.

    Ping Identity Rule
    Ping Identity Rule

  5. Select the Configuration tab and add a User Filter. For more information, see the Ping Identity documentation. Select Save once complete.

    Ping Identity User Filter
    Ping Identity User Filter
  6. Enable the Rule using the toggle.

    Ping Identity new Rule
    Ping Identity new Rule

Provision groups

  1. To assign groups, return to the Provisioning screen and select the rule Edit Group Provisioning.

    Edit group provisioning
    Edit group provisioning

  2. Choose the group or groups to provision and select Save. Once saved, the directory will trigger a sync.

Appendix

Required attributes

Both the Bitwarden and Ping Identity SCIM Provisioner with SAML (SCIM v2 Enterprise) applications use standard SCIM v2 attribute names. Bitwarden will use the following attributes:

User attributes

  • active

  • emailsª or userName

  • displayName

  • externalId

ª - Because SCIM allows users to have multiple email addresses expressed as an array of objects, Bitwarden will use the value of the object which contains "primary": true.

Group attributes

For each group, Bitwarden will use the following attributes:

  • displayName (required)

  • membersª

  • externalId

ª - members is an array of objects, each object representing a user in that group.

Suggest changes to this page

How can we improve this page for you?
For technical, billing, and product questions, please contact support

Cloud Status

Check status

Level up your cybersecurity knowledge.

Subscribe to the newsletter.


© 2024 Bitwarden, Inc. Terms Privacy Cookie Settings Sitemap

This site is available in English.
Go to EnglishStay Here